Tackle internal fraud

Although hackers and phishing attacks make the headlines, almost 78% of fraud by individuals against UK organisations is committed by employees.

Most businesses can no longer afford to ignore the threat from within.

Internal fraud made up more than a quarter of the £1.19bn of fraud losses recorded in cases brought before UK courts in 2008 according to KPMG's annual Forensic Fraud Barometer. The report reveals that employee fraud across all UK organisations grew by six times in 2008 compared with the year before.

Analysts say the figures for enterprise fraud are likely to increase in 2009 as a direct result of the poor economic climate around the world. As the effects of the economic downturn begin to take hold at every level, the temptation to commit fraud by inflating expense claims or passing on information to organised crime is greater than ever.

It is no surprise that managers are the biggest culprits, accounting for 56% of internal fraud. They are better placed to abuse their position of trust and have authorised access to a greater number of company resources.

Non-managers may soon catch up, however, with growth in fraud by this group in 2008 outstripping that of managers by 133%.

Hitesh Patel, fraud investigation partner at KPMG Forensic, says internal fraud is becoming more prevalent and should set alarm bells ringing within organisations.

"In difficult times, internal fraud could even become the tipping point between the survival and demise of an organisation," he says.

Businesses are turning to IT systems to detect and prevent internal fraud, but many are failing to address the full complexity of the problem.

Analyst firm Quocirca is preparing a report on internal fraud. Quocirca analyst Bob Tarzey warns that businesses have not addressed this issue to the extent that they need to.

Most organisations are implementing point systems that look for specific, well-known types of fraud, says Shachar Mor, senior consultant at information security firm Comsec Consulting.

These typically do not address the full complexity of the problem because fraud is becoming increasingly sophisticated and is often made up of several smaller activities across the organisation.

A point system aimed at a specific activity is not going to make the connections to identify more complex patterns of fraud activity, says Bart Patrick, head of risk at SAS UK.

Fraud is multidimensional and, therefore, businesses need to adopt a multidimensional approach, he says. The only way to reach beyond the 20% of well-known frauds is to take a data-driven approach.

This involves tapping into all the data sources within organisations such as e-mail, building access logs, telephone records and employee database activity.

Analytics technology can use all this information to uncover hidden patterns of activity linked to fraud and enable organisations to prevent fraud when similar patterns are detected in future.

The most difficult type of fraud to tackle is the fraud that goes undetected, which experts in the field have suggested is about 40% of all fraud carried out, says Patrick. Large financial institutions commonly use analytics to help provide near real-time alerts about unknown fraud by detecting and connecting anomalous data to identify potential fraud activity.

Using this approach, data can be pulled together from multiple sources to create and run a fraud risk model to score a transaction and send the result to a bank in under 40 milliseconds. This capability obviously involves an extensive data integration project, which is likely to be out of the reach of organisations that do not have the financial resources of multinational banks.
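As an added illustration of the cross-source correlation described above (this is example code, not from the article or from any supplier it names), the script below joins two of the data sources listed, building access logs and database audit records, so that a bulk export by an employee who is not on site is flagged even though neither source looks suspicious on its own. All log lines, names and timestamps are constructed.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed building access log: (employee, badge-in, badge-out)
BADGE_LOG = [
    ("alice", "2009-03-02 08:55", "2009-03-02 17:40"),
    ("bob",   "2009-03-02 09:10", "2009-03-02 18:05"),
]

# Constructed database audit log: (employee, query time, customer records returned)
DB_LOG = [
    ("alice", "2009-03-02 10:15", 12), ("alice", "2009-03-02 11:40", 9),
    ("alice", "2009-03-02 14:02", 15), ("alice", "2009-03-02 15:10", 11),
    ("alice", "2009-03-02 16:30", 14), ("alice", "2009-03-02 19:30", 10),
    ("bob",   "2009-03-02 11:00", 20), ("bob",   "2009-03-02 13:20", 35),
    ("bob",   "2009-03-02 15:45", 18), ("bob",   "2009-03-02 23:45", 4800),
]

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def on_site(employee, when, badge_log=BADGE_LOG):
    """True if a badge-in/badge-out interval for the employee covers the time."""
    return any(e == employee and _t(i) <= when <= _t(o) for e, i, o in badge_log)

def volume_zscore(value, baseline):
    """Z-score of one query's volume against the employee's other queries.
    The event itself is left out so a single bulk export cannot mask itself."""
    if len(baseline) < 3 or pstdev(baseline) == 0:
        return 0.0
    return (value - mean(baseline)) / pstdev(baseline)

def score_events(db_log=DB_LOG, badge_log=BADGE_LOG, z_threshold=3.0):
    """Return (employee, time, reasons) for every event that trips a rule.
    Rule 1 joins two sources: database activity with no badge presence.
    Rule 2 is per-employee: record volume far above that person's baseline."""
    alerts = []
    for emp, ts, n in db_log:
        reasons = []
        if not on_site(emp, _t(ts), badge_log):
            reasons.append("database access with no badge presence")
        others = [m for e, t, m in db_log if e == emp and t != ts]
        if volume_zscore(n, others) > z_threshold:
            reasons.append(f"{n} records returned, far above own baseline")
        if reasons:
            alerts.append((emp, ts, reasons))
    return alerts

if __name__ == "__main__":
    for emp, ts, reasons in score_events():
        print(emp, ts, "; ".join(reasons))
```

In a real deployment a remote-access (VPN) log would be a third source to join before treating off-site database activity as anomalous.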

Fraud analytics

New technology from software firms such as startup Intellinx is likely to fill this gap by providing a way of using analytics to combat fraud without the need for system integration.

The Intellinx software uses an agent-less network traffic sniffing tool to collect and pass information from all company IT systems to its analytics engine to identify potential fraud. The technology can be deployed within a single day and does not require expertise to link it with each information system used in an organisation.

This enables a near real-time fraud alert capability with full activity recording and replay in software that can be used against both known and unknown types of fraud in an organisation.

Fine-tuning the software can take up to four weeks, says Orna Mintz-Dov, chief executive of Intellinx, but organisations will have the ability to record all transactions out of the box. This technology has been deployed in the US, where police authorities were able to immediately block any inappropriate internal requests for information on President Barack Obama.

Endpoint management

Another innovative way of gaining visibility and control of internal systems and data is using agent-less endpoint management technologies.

Like the Intellinx software, the management system from endpoint security supplier Promisec is designed to enable fast, centralised and easy deployment with little impact on network performance.

Endpoint management can enable organisations to get visibility of what users are doing with internal data, says Ari Tammam, vice-president of channels at Promisec. Organisations can also control company data by enforcing policies through every device used to access the network, he says.

The software monitors and blocks any changes to software and security settings, says Tammam, to prevent employees from intentionally or unintentionally opening up opportunities for fraud.

Tracing user transactions

Security supplier First Ondemand is pioneering yet another innovative anti-fraud technology to provide cryptographically secured unique identities for users, transactions and physical goods.

Fraud can be prevented if an organisation can identify and authenticate every person in its business processes, says Peter Warner, head of financial sector business development at First Ondemand.

The firm has developed software in partnership with Oracle to enable organisations to create mass serialised identities and then track them through all business processes and IT systems.

The technology is being used to prevent fraud by authenticating pharmaceuticals, recipients of parcel deliveries and users of electronic train ticketing services.

Shout about anti-fraud

Visible roll-outs of anti-fraud technologies alone can help organisations reduce fraud, says Comsec's Shachar Mor, who specialises in enterprise fraud.

Once an organisation can demonstrate its capability to identify suspicious activity, it makes employees aware that there is a "dog in the house" so they are less likely to commit fraud, he says.

Technology can vastly improve an organisation's ability to deter, detect and prevent fraud, but it will not address business process failures that often create opportunities for fraudsters.

Fraud often occurs where there is a breakdown of control, typically when processes are handed from one department to another within an organisation, says SAS's Patrick.

Knowledge of processes within an organisation is an increasingly important component of successful fraud prevention, says Nissim Bar-El, chief executive of Comsec UK.

Fraud of some kind is a threat to most organisations, but Bar-El says few have the ability or budget to combine anti-fraud technologies with knowledge of business processes and user behaviour.

This is likely to drive demand for comprehensive fraud protection to be delivered as a more affordable service from a third-party supplier, he says.

Such a service would put within reach of most businesses a combination of process knowledge with cutting-edge technologies from firms such as Intellinx, Promisec and First Ondemand.

Collaboration across industries is another key component missing from many organisations' fraud prevention strategies, says Patrick.

The future of fraud prevention must include some element of information sharing across industries and regions, he says, because fraud seldom operates in isolation.

Patrick is not in favour of devolving responsibility for fraud prevention to third-party suppliers, but concedes that some organisations may need to do so.

"If such services can enable wider collaboration on fraud prevention, I am fine with that," he says.

"Organisations that work together and do all they can with data and technology will get the best result," he says.